We don't need the law! We have a British Standard!
Yes, it looks as if implementation of the UK's Data Protection Act 1998 is going to be outsourced to the British Standards Institution. Richard Thomas may retire and the entire Information Commissioner's Office is to be made redundant.
If this pilot scheme is successful the next government department to be outsourced to the BSI will be the Metropolitan Police, on the basis that the BSI is unlikely to enforce the offence of "Attempting to Travel On the London Underground While Being Brazilian" with capital punishment, nor will it be likely to be stopping and searching artists while going about their business.
We do not have a British Standard for not murdering people, nor for not breaking the speed limit while delivering goods by van. But it seems we are about to have BS DPC 10012 as a Specification for the management of personal information in compliance with the Data Protection Act 1998.
This is a "British Standard for Not Breaking The Data Protection Act 1998"!
If you want, you can comment on the draft here.
I am aghast at the huge waste of effort. A team of good people has sat in a stuffy room and drafted this. They've drafted it well, there can be no dispute about that, but they've spent time doing it! And this is just what we need at present, isn't it?
Yes, the retailers are slamming their doors in the high street, businesses are going into administration daily, and we need, gosh, yet another piece of Emperor's New Clothes, don't we?
Of course other experts will pay lip service to this. You can't be seen to be objecting to something that is for our own good, can you?
How will this new standard prevent data losses on the scale we've seen in 2008? How will it ensure good practice is put into place?
What is the point? Far better to concentrate this effort into real compliance!
Or am I so wrong about this?


8 comments:
So we need better compliance? I think that's why a group of people sat in a room and thought about what would help achieve better compliance .. given the complexity of UK dp law .. its myriad of interpretations ... the lack of consistent and concise advice from regulators .. anything that helps simplify matters is welcomed ... at least people have the ability to comment on the proposed standard .. whether it will see the light of day is another matter though.
What we need is case law. We need prosecutions, not a standard.
We get a new Information Commissioner in July. I wonder if he will be a Chihuahua or a Rottweiler?
I agree that more robust enforcement will help promote awareness of the DPA and encourage organisations to comply. However, not all organisations can afford to hire consultants or lawyers to wade through the myriad and at times conflicting advice and guidance ....... better compliance can be helped by better guidance ...... it remains to be seen if the new commissioner will be any tougher .... the word is that Whitehall wanted someone less tough than Richard Thomas has been!
"Less tough" will be rather hard to find, I fear. Upsetting Mr Thomas is rather like being cuddled to death by your favourite uncle.
Data protection, for all I am a consultant specialising in it, is largely common sense and good business practice. It's not difficult, nor is it arduous to implement, it just requires, usually, a minor shift of emphasis, and an understanding that the organisation serves the individual.
Strong and consistent enforcement of the law can only be a good thing. I do not perceive the BSI as a competent body to provide guidance which is any legal protection. To do that we need case law, however idiosyncratic judgements can be, not that I ever spell "Durant" correctly the first time!
I think your comment suggests that you need to update your understanding of what a standard is.
1. Compliance with a standard is voluntary.
2. Standards tend to get developed at the wish (demand) of stakeholders who think that such a thing can help.
3. It is rare for standards to exist in isolation or exclude other tools, options or choice.
I don't think there is a need to get personal, you know.
1) Compliance with a standard may be voluntary, but it is also provided as a defence, seeking to mitigate risk in law.
2) Standards also get developed by people who view the participation in the development of a standard will help their employment prospects. Who, here, are the stakeholders? And who determined that these people should create this thing?
3) It is not wholly useful to have a standard for compliance with a law, despite the fact that the law gives context to the standard.
What I can't fathom at present is whether you are in favour of or against the draft standard, and for or against the law here. Well, assuming you three "anonymous" people are the same person, that is :)
Hi Tim,
3rd anonymous comment was not made by me .. and I wouldn't get personal.
I do believe that a privacy standard would help organisations in establishing an effective privacy management framework (rather like ISO 27001/27002) ..... whether I believe the current proposal is the right one is another matter. An effective standard would also help consumers and 'citizens' have confidence in an organisation's practices ..... just look at the confusion caused by 'trust' seals ......
I don't share your view that standards are proposed by self serving individuals ....
Perhaps the various international DPAs were wrong to suggest a global privacy standard at the Montreux conference in 2005 .. the DPAs argued for the 'development of effective and universally accepted international privacy standards as a mechanism for assisting parties to establish and demonstrate compliance with legal requirements of a data protection and privacy nature'.
Good luck.
I'm glad "anon #3" is not you. Er, I think! Doesn't it get fun when people all say "I am the anonymous one!"
I see, perhaps, why a full international standard for the entire directive might be of use. After all, if the nations find it impossible to harmonise this directive into law, what chance does anyone stand.
I've often shared a conference platform with a notable law firm who have stated "It is impossible to comply with data protection legislation in Europe, let alone worldwide."
Assuming that to be true, and I see every reason to suppose that it is, taking Germany, Spain, Sweden and the UK as random examples of alleged compatibility, and ignoring non EC nations entirely, how on earth will a standard mean that folk will be compliant with "the law"?
My comment, which you have quite reasonably paraphrased as "self serving individuals", was not entirely tongue in cheek. Such committees are great career fodder. I imagine that sitting on such a committee might, in some eyes, have enhanced my own consultancy work, for example. The fact is that it would not have, but perception is reality.
I believe that what is required is a strong regulator with real powers. I'm not averse to the Spanish model - the Traffic Warden on Commission if you like - to restore confidence in security of data, and believe that some high profile prosecutions would do far more good than any standard.